Battle.net authenticator process updated with smarter log-in detection

Blizzard wants to make the authentication process less intrusive and this is a first step towards that goal. Right now, having to input a code each and every login is a pain, sure, but it also makes me feel secure. I'm never going to say no to more security, however, and if the system is something that can accurately figure out where I am and let me on, that's great.
This doesn't take into consideration the circumstance where you use an authenticator to prevent access to WoW, even from the home PC. I know some parents who use a simple password that their kids can remember but use the authenticator as the gate to prevent unwanted play. Maybe there will be an opt-out feature of some kind to always ask for the code.
You can check out the Battle.net account security page or check out the Blizzard mobile site for application information. For more information on this specific change to the authenticator system, follow me after the break.

If you use an authenticator – and we hope you do – you may soon notice that an authenticator prompt may not appear with every login. We've recently updated our authentication system to intelligently track your login locations, and if you're logging in consistently from the same place, you may not be asked for an authenticator code. This change is being made to make the authenticator process less intrusive when we're sure the person logging in to your account is you.
We hope to continue improving the authenticator system to ensure the same or greater security, while improving and adding features to make having one a more user friendly experience. If you don't already have a Battle.net Authenticator attached to your account, don't wait until it's too late - http://us.battle.net/en/security/checklist
If you have comments, concerns, or feedback regarding this change, please visit this thread to voice them so we can consolidate your thoughts. Thanks!
Original Thread: http://us.battle.net/wow/en/forum/topic/2674529777

Reader Comments (Page 2 of 7)
thawedtheorc Jun 16th 2011 7:06PM
Sounds good at first. My only concern would be if someone hacks someone's computer, they can get and spoof the IP address as well. Then they have the username and password and will be able to log on without an authenticator.
Someone tell me I am wrong here.
Kaphik Jun 16th 2011 7:10PM
Nope, not wrong, my thoughts exactly.
MysticalOS Jun 16th 2011 7:23PM
This only matters if maybe they use YOUR computer to login.
Trust me when I say Blizz is using more than just a mere IP address to cache your logins, they have specs, they have hardware IDs, geographical locations. Someone with same IP isn't just gonna login without code and get away with it unless they literally use YOUR computer to do it, but at that point, the authenticator is the least of your problems, but rather, why someone is on YOUR computer over a remote connection and you need to get your PC in order.
As for concern about household things, wives, kids, etc. Well, that's not really what Blizz designed the authenticator for, that's what they made parental controls and regular passwords for.
velidra Jun 16th 2011 8:26PM
@MysticalOS none of which can't be spoofed by someone with enough knowledge.
John Jun 16th 2011 7:29PM
They didn't say they were doing it by IP address. It could be MAC address, router traces, stack signatures, geolocation or any combination of. I'm sure Blizz has already thought about college campuses and the like so they may use system info and a combination of all of the above to generate unique keys for systems.
Hackable? Everything is. Something to worry about? I trust the Blizzard folks to be better developers and know their systems better than I do.
Henrah Jun 16th 2011 7:54PM
"but rather, why someone is on YOUR computer over a remote connection and you need to get your PC in order."
Even if this is the case...
The original authentication method prevented you from this very scenario.
I'd actually say that that was half of its point.
If everyone was perfect in every way and kept their PCs in perfect order - we wouldn't need these little gadgets in the first place.
Aalokor Jun 16th 2011 7:57PM
Technically, this can be more secure, since it alleviates some of the risk of keyloggers
thawedtheorc Jun 16th 2011 11:26PM
Ah, thanks. I was thinking they have to have some other way to tell what machine we are using.
Joseph Smith Jun 19th 2011 11:53AM
"so they may use system info and a combination of all of the above to generate unique keys for systems"
And once the hackers determine what the algorithm is to determine this information, all they need to do is insert code into their keyloggers to capture this from your computer along with your username/pwd. Since this hash is UNCHANGING, it will always be valid. Unlike the authenticator, which IS a continuously changing code.
Alternatively, they can just continue using man in the middle attacks, which instead of stealing your authenticator code, will steal the 'location id' that blizz has put in.
I don't pretend to know what's happening on Blizzard's side for the authentication, but then I'm not the party that's interested in finding ways around it. Trust me when I say that the gold farmers are already hard at work trying to determine how to get around Blizzard's code without needing the authenticator information, now that the possibility exists.
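The replay concern raised in the comment above, as an added example (not part of the original comments and not Blizzard's implementation): a copied value that never changes is still accepted a day later, while a time-based code or a single-use device token is not. The fingerprint scheme, the RFC 6238 code standing in for the authenticator, the `Server` class and the rotating token are all assumptions, and every input value is constructed.

```python
import hashlib, hmac, secrets, struct

def static_location_id(attrs):
    """Hypothetical unchanging 'location id': a hash over machine attributes."""
    blob = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(blob.encode()).hexdigest()

def totp(secret, now, step=30, digits=6):
    """RFC 6238 code (HMAC-SHA1), a stand-in for the authenticator's rotating code."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

class Server:
    """Toy verifier holding one account's enrolled values (assumed design)."""
    def __init__(self, enrolled_id, totp_secret):
        self.enrolled_id, self.totp_secret = enrolled_id, totp_secret
        self.device_token = None

    def check_static(self, presented):
        return hmac.compare_digest(presented, self.enrolled_id)
    def check_totp(self, code, now):
        return hmac.compare_digest(code, totp(self.totp_secret, now))
    def issue_token(self):
        self.device_token = secrets.token_hex(16)
        return self.device_token

    def redeem_token(self, presented):
        """Single-use remembered-device token: a match is replaced by a new one."""
        if self.device_token and hmac.compare_digest(presented, self.device_token):
            return self.issue_token()
        return None  # no match: fall back to asking for the authenticator code

def replay_results():
    """Present day-old copies of each credential; True means still accepted."""
    attrs = {"os": "constructed-os", "gpu": "constructed-gpu", "nic": "00:00:5e:00:53:01"}
    secret, t0 = b"constructed-demo-secret", 1_308_250_000  # constructed values
    srv = Server(static_location_id(attrs), secret)
    copied_id, copied_code = static_location_id(attrs), totp(secret, t0)
    copied_token = srv.issue_token()
    srv.redeem_token(copied_token)  # the owner's next login rotates the token
    later = t0 + 86_400
    return {"static_id": srv.check_static(copied_id),
            "totp": srv.check_totp(copied_code, later),
            "rotating_token": srv.redeem_token(copied_token) is not None}

if __name__ == "__main__":
    print(replay_results())
```

A server that skips the code prompt for a remembered machine is safer keying that decision to a token it issued and rotates than to anything derived from unchanging machine attributes.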
Skyrei Jun 16th 2011 7:07PM
Boy! Had me goin...
Revynn Jun 16th 2011 7:09PM
It's been tracking login location for a long time. Twice I've taken my laptop on the road with me to play WoW on vacation and both times I've needed to change my password. I log in, the servers say "Hey, you don't live in Arizona!" and my account is frozen until I change my PW.
Lissanna Jun 16th 2011 7:11PM
Right, and my hope is that it'll flag for an authenticator # at that point instead of auto-locking you, which would be WAAAAAY less annoying.
Arivia Jun 16th 2011 7:15PM
I got flagged in and needed to reset my password after the entire Internet went down for a minute due to a power outage around here recently.
It was kind of silly. Same computer, two minutes later - "YOUS A HACKER"
MysticalOS Jun 16th 2011 7:26PM
Arivia, Blizzard's checker checks for oddities, such as, say, a completely different route or ISP all of a sudden. When your ISP went down it's possible they restored connectivity by rerouting, and Blizz is like "same computer but his connection is being rerouted" and flagged it as a possible hijacking of someone rerouting your connection through insecure channels. Inconvenience, yes, but it's not without purpose.
cyanea85 Jun 17th 2011 8:10AM
That system is hilariously flakey though.
I go to school in the same state that I live. Two hours apart. Played at school, came home, got flagged for a reset.
I spend much of my breaks at my boyfriend's place in Virginia (three states away). Haven't been flagged once.
Alyosha Jun 16th 2011 7:12PM
I am thrilled with this change! I've left my authenticator at work before and just had to forgo any WoW or Starcraft II. Plus, the extra amount of time it takes to log in with an authenticator drives me crazy. I know it is only a few extra seconds, but it can feel like such a hassle. This sounds like a practical solution.
Joseph Smith Jun 18th 2011 12:53PM
Now you'll just have the opposite problem. You'll stop using your Authenticator because you don't need it anymore. Then you'll go on a trip, not thinking to bring it because you never need it anymore. You get to your destination and are either A) Unable to play for the duration, or B) Have to call Blizz and take it off your account so you can play, therefore leaving your account wide open for attacking.
At the worst, having to take the extra couple of seconds is a habit, and gives me a warm fuzzy knowing that I won't be logging in to an empty char screen.
Balgus Jun 16th 2011 7:14PM
I should've known better than to reply first to a post. Now there are gonna be a million emails in my folder telling me someone's replied saying the exact same thing as someone else. *sigh*
JattTheRogue Jun 16th 2011 7:16PM
I've wondered why something like this couldn't be done before. My online bank account lets me register any computer I want to turn off a couple security features and forces me to answer security questions if I try to log in on a different computer. This seems a lot like that.
Kaphik Jun 16th 2011 7:16PM
Considering the recent Sony debacle, this seems on the surface to be a bit of a step backwards for account security.